STG Security Advisory 2005-01-20.22

2005-01-25T00:00:00
ID PACKETSTORM:35839
Type packetstorm
Reporter STG Security
Modified 2005-01-25T00:00:00

Description

STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure  
vulnerability.  
  
Revision 1.0  
Date Published: 2005-01-20 (KST)  
Last Update: 2005-01-20 (KST)  
Disclosed by SSR Team (advisory@stgsecurity.com)  
  
Summary  
========  
JSBoard is one of the most widely used web BBS applications in Korea. Because of an
input validation flaw, a malicious attacker can read arbitrary files.
  
Vulnerability Class  
===================  
Implementation Error: Input validation flaw  
  
Impact  
======  
Medium : arbitrary file disclosure  
  
Affected Products  
================  
JSBoard 2.0.9 and prior.  
  
Vendor Status: FIXED  
====================  
2004-12-31 Vulnerability found.  
2004-12-31 JSBoard developer notified.  
2005-01-02 Developer confirmed.  
2005-01-02 Update version released.  
2005-01-20 Official release.  
  
Details  
=======  
PHP has a feature of discarding input values that contain null characters
when magic_quotes_gpc = off. Because JSBoard's session.php doesn't sanitize
the $table variable, a malicious attacker can read arbitrary files.
  
---
include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...
---
  
Proof of Concept  
================  
A local web proxy (e.g., Achilles) is required to prove the vulnerability.  
  
http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00
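
A defender-side check for requests of the shape shown above, added here as an example and not part of the original advisory or of JSBoard: it scans web server access logs for a `table` parameter carrying a null byte or path traversal. It assumes combined-format logs, that `table` arrives in the query string as in the URL above, and that legitimate board names are short alphanumeric identifiers; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format); clients and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2005:10:00:01 +0900] "GET /session.php?logins=true&m=logout&table=free HTTP/1.1" 200 512
192.0.2.11 - - [25/Jan/2005:10:00:07 +0900] "GET /session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843
192.0.2.12 - - [25/Jan/2005:10:00:09 +0900] "GET /session.php?table=%252e%252e%252fconfig HTTP/1.1" 200 90
192.0.2.13 - - [25/Jan/2005:10:00:15 +0900] "GET /list.php?table=notice&page=2 HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: legitimate board (table) names are short alphanumeric identifiers.
SAFE_TABLE_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so layered encodings are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_table(value):
    """Return the reasons a table value is suspicious (empty list means clean)."""
    value = fully_decode(value)
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in value or "/" in value or "\\" in value:
        reasons.append("path-traversal")
    if not reasons and not SAFE_TABLE_RE.match(value):
        reasons.append("unexpected-characters")
    return reasons

def scan(log_text):
    """Return (client, path, status, reasons) for requests with a suspicious table parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "table" and (reasons := classify_table(value)):
                hits.append((client, parts.path, int(status), reasons))
    return hits
```

A hit that was answered with status 200 is worth triaging first, since the request was served rather than rejected.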
  
Solution  
=========  
Upgrade to 2.0.10  
http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz  
  
Vendor URL  
==========  
http://kldp.net/projects/jsboard/  
  
Credits  
======  
Jeremy Bae at STG Security  